Subject: Re: Heap overflow in mps(4) (was: Re: stable/9 mps(4) rev 254938 == BOOM!)
From: Scott Long
Date: Tue, 4 Feb 2014 16:34:36 -0700
To: Garrett Wollman
Cc: freebsd-stable@freebsd.org, "Kenneth D. Merry", "FreeBSD-scsi@freebsd.org"
In-Reply-To: <21233.25909.355102.743155@khavrinen.csail.mit.edu>
References: <21225.19508.683025.581620@khavrinen.csail.mit.edu> <201401292137.s0TLbD5G006716@hergotha.csail.mit.edu> <20140129221514.GA47535@nargothrond.kdm.org> <21225.38749.179621.454579@khavrinen.csail.mit.edu> <20140131003342.GA11755@nargothrond.kdm.org> <21233.25909.355102.743155@khavrinen.csail.mit.edu>
List-Id: Production branch of FreeBSD source code

On Feb 4, 2014, at 3:09 PM, Garrett Wollman wrote:

> < said:
> 
>> The fact that the redzone code doesn't expose any problems makes it more
>> likely that it is a problem other than a heap overflow.
> 
> So I built a new kernel with DEBUG_MEMGUARD. When
> vm.memguard.desc="mps", everything works fine both through two
> load/unload cycles and statically compiled into the kernel. When
> vm.memguard.desc is not set, instapanic as before.
> (I'm trying memguard rather than redzone as it has much less of a performance
> impact, so I can start doing some of the performance testing I was
> originally intending to do.
> 
> Are there any debugging options that I could usefully enable that
> would show just what mps is doing when the fault happens? I see that
> there are lots of tracing options but I don't know what would actually
> be useful.
> 

Try the patch at

http://people.freebsd.org/~scottl/mps.memguard.diff

I haven't even compile tested it, so hopefully any mistakes are easy to fix and aren't too embarrassing. The target array is an obvious culprit since it's often indexed without bounds. If this doesn't fix it then I'll have to think of some other culprits. Another next step would be to further divide and test the M_MPT2 malloc allocation type.

Scott
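The thread above turns on two ideas: a fixed-size per-target table that is indexed with a value taken from the controller and never range-checked, and a debugging allocator (REDZONE, or MemGuard selected per malloc type via vm.memguard.desc) that makes a write past the end of an allocation visible instead of silently corrupting the neighbouring heap. The following is an added user-space model of both, written for this page; it is not code from mps(4), not Scott's mps.memguard.diff (whose contents are not on this page), and every name in it (struct target, NUM_TARGETS, the 0xA5 fill byte, the update functions) is invented for illustration. It follows the REDZONE approach of a fill pattern checked after the fact; the kernel's MemGuard instead backs the allocation with guard pages so the stray write faults at once.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for a driver's per-target table (not the real
 * mps(4) layout). The table holds NUM_TARGETS entries and nothing else. */
#define NUM_TARGETS  8
#define REDZONE_LEN  16
#define REDZONE_BYTE 0xA5

struct target {
    uint16_t handle;
    uint8_t  flags;
    uint8_t  pad;
};

/* Table allocation followed immediately by a trailing redzone filled with
 * REDZONE_BYTE, emulating what a redzone-style debugging malloc adds. */
struct target_table {
    struct target *targets;   /* NUM_TARGETS entries */
    uint8_t       *redzone;   /* REDZONE_LEN bytes right after the table */
};

static struct target_table *table_alloc(void)
{
    size_t body = NUM_TARGETS * sizeof(struct target);
    struct target_table *t = malloc(sizeof *t);
    if (t == NULL)
        return NULL;
    uint8_t *raw = malloc(body + REDZONE_LEN);
    if (raw == NULL) {
        free(t);
        return NULL;
    }
    memset(raw, 0, body);
    memset(raw + body, REDZONE_BYTE, REDZONE_LEN);
    t->targets = (struct target *)raw;
    t->redzone = raw + body;
    return t;
}

static void table_free(struct target_table *t)
{
    if (t == NULL)
        return;
    free(t->targets);
    free(t);
}

/* 1 if no byte of the redzone was touched, 0 if something wrote past the table. */
static int redzone_intact(const struct target_table *t)
{
    for (int i = 0; i < REDZONE_LEN; i++)
        if (t->redzone[i] != REDZONE_BYTE)
            return 0;
    return 1;
}

/* Unchecked update: 'id' arrives from the hardware (e.g. an event payload)
 * and is used as an index with no bounds check. This is the pattern the
 * thread suspects; a bad id writes straight past the end of the table. */
static void target_update_unchecked(struct target_table *t, unsigned id, uint16_t handle)
{
    t->targets[id].handle = handle;
    t->targets[id].flags |= 0x1;
}

/* Checked update: refuse ids outside the table instead of writing past it. */
static int target_update_checked(struct target_table *t, unsigned id, uint16_t handle)
{
    if (id >= NUM_TARGETS)
        return -1;
    t->targets[id].handle = handle;
    t->targets[id].flags |= 0x1;
    return 0;
}

/* Feed an id one past the end to the unchecked path; 1 if the redzone caught it. */
static int demo_unchecked_corrupts(void)
{
    struct target_table *t = table_alloc();
    if (t == NULL)
        return -1;
    volatile unsigned bad_id = NUM_TARGETS;      /* constructed bad input */
    target_update_unchecked(t, bad_id, 0x1234);
    int corrupted = !redzone_intact(t);
    table_free(t);
    return corrupted;
}

/* Same bad id through the checked path; 1 if rejected and the redzone is intact. */
static int demo_checked_rejects(void)
{
    struct target_table *t = table_alloc();
    if (t == NULL)
        return -1;
    volatile unsigned bad_id = NUM_TARGETS;
    int rc = target_update_checked(t, bad_id, 0x1234);
    int ok = (rc == -1) && redzone_intact(t);
    table_free(t);
    return ok;
}

int main(void)
{
    printf("unchecked write corrupts redzone: %d\n", demo_unchecked_corrupts());
    printf("checked write rejected, redzone intact: %d\n", demo_checked_rejects());
    return 0;
}
```

The point of the model is the diagnostic asymmetry the thread relies on: a redzone check only fires if the overrun actually lands in the zone being checked, so a clean result under REDZONE does not rule out an overflow into some other allocation, whereas confining a single malloc type (here the hypothetical table; in the thread, "mps") to a guard-page allocator and seeing the panic disappear points at that type's allocations as the ones being overrun.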